
Enabling HSTS

HSTS stands for HTTP Strict Transport Security. It is a security measure that ensures visitors can only communicate with your website over a secure connection (HTTPS). HSTS protects against attacks such as man-in-the-middle attacks, helping guarantee that the communication between the user and your website remains secure.



Implementing HSTS


Follow these steps to easily implement HSTS:


  1. Ensure a valid SSL certificate:

Your website must fully function over HTTPS.


  2. Edit the .htaccess file:

  • Open the .htaccess file in your website’s root directory (e.g., domains/voorbeeld.cc/public_html).
  • If no .htaccess file exists, create one.
  • Add the following line:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  • Explanation:

  • max-age=31536000: browsers will enforce HTTPS for 1 year.
  • includeSubDomains: also applies to all subdomains.
  • preload: optional, for inclusion in the HSTS Preload List.


  3. Save and close the file.
  4. Test your website:

Verify everything works correctly, and use tools like SSL Labs SSL Test to validate your setup.


Important: Only implement HSTS if your site will consistently support HTTPS.


Key Considerations


  • SSL certificate required: Your website must operate fully over HTTPS.
  • Test on a subdomain first: To reduce potential risks.
  • Use a cautious max-age initially: Start with a short duration (e.g., 300 seconds).
  • Be careful with includeSubDomains: Ensure all subdomains support HTTPS.
  • Delay using preload: Preloading is difficult to undo once active.
  • Ensure all external resources load via HTTPS.
  • Monitor your website carefully after activation.
  • Document your changes for easy reference.


HSTS Preload List


The HSTS Preload List is maintained by browsers like Chrome, Firefox, and Safari to enforce HTTPS-only access for certain domains.


Benefits:


  • Enhanced security: protects against network and man-in-the-middle attacks.
  • Faster connections: eliminates the initial HTTP request.


When to submit:


  • Only after thorough testing and 100% HTTPS compatibility.
  • Only if you intend to permanently use HTTPS.
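The directives explained under "Edit the .htaccess file", the cautious rollout from "Key Considerations" and the preload requirements above can be checked mechanically. The following Python script is an added example, not part of this article or of any hosting tooling: it parses a Strict-Transport-Security value the way RFC 6797 describes the syntax (directives separated by ';', case-insensitive names, max-age as an integer that may be quoted) and classifies it against the stages this article describes. The preload thresholds used (max-age of at least 31536000 seconds, includeSubDomains, the preload token) are the header requirements published at hstspreload.org; the stage names are this example's own.

```python
"""Parse and classify a Strict-Transport-Security header value.

Added example for this article (not the hosting provider's own code).
Syntax follows RFC 6797; the preload thresholds are hstspreload.org's
published header requirements.
"""
import re

ONE_YEAR = 31536000  # seconds: the article's max-age and the preload minimum

# Directives that RFC 6797 defines as valueless.
VALUELESS = {"includesubdomains", "preload"}


def parse_hsts(value):
    """Parse a header value into a dict, or return None if a browser would ignore it.

    Ignored cases: no max-age, non-numeric max-age, a duplicated directive,
    or a value on a valueless directive. Names are lower-cased; unknown
    directives are kept (browsers skip them).
    """
    directives = {}
    for segment in value.split(";"):
        token = segment.strip()
        if not token:
            continue  # a trailing ';' or empty segment is harmless
        name, has_value, raw = token.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"') if has_value else None
        if name in directives:
            return None  # each directive may appear only once
        if name == "max-age":
            if raw is None or not re.fullmatch(r"\d+", raw):
                return None  # max-age must be delta-seconds
            directives[name] = int(raw)
        elif name in VALUELESS:
            if has_value:
                return None  # includeSubDomains / preload take no value
            directives[name] = True
        else:
            directives[name] = raw  # unknown directive, ignored by browsers
    if "max-age" not in directives:
        return None  # max-age is mandatory
    return directives


def preload_problems(directives):
    """List what stops a parsed policy from meeting hstspreload.org's header rules."""
    problems = []
    if directives["max-age"] < ONE_YEAR:
        problems.append("max-age must be at least 31536000 (one year)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains is required")
    if "preload" not in directives:
        problems.append("preload token is required")
    return problems


def hsts_stage(value):
    """Map a header value onto the rollout stages the article describes."""
    d = parse_hsts(value)
    if d is None:
        return "invalid"            # browsers ignore the header entirely
    if d["max-age"] == 0:
        return "disabled"           # max-age=0 tells browsers to drop the policy
    if "preload" in d:
        return "preload-ready" if not preload_problems(d) else "preload-incomplete"
    if d["max-age"] < ONE_YEAR:
        return "testing"            # e.g. the cautious 300-second start
    return "production"


def policy_applies(scheme, value):
    """Browsers only honour HSTS on a response received over HTTPS (RFC 6797, 8.1)."""
    return scheme.lower() == "https" and parse_hsts(value) is not None


if __name__ == "__main__":
    # Constructed sample values, including the article's own header line.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",
        "max-age=31536000",
        "max-age=2592000; includeSubDomains; preload",
        "max-age=0",
        "includeSubDomains",
        'max-age="31536000"; includeSubDomains',
    ]
    for s in samples:
        print(f"{s!r:50} -> {hsts_stage(s)}")
```

Run it against the value returned by your own server (for example the header shown by `curl -sI https://your-domain/`) to see which stage you are actually serving. Note that Apache's `Header set` without `always` attaches the header only to successful (2xx) responses, so a redirect checked this way may legitimately come back without a policy.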


👉 More info and submission: hstspreload.org

Updated on: 23/05/2025
